May 24, 2026

Sigma Rule Converter

Translate a Sigma detection rule into Splunk SPL, Elastic KQL/EQL, and Microsoft Sentinel KQL. Pure JavaScript — your rule is never sent anywhere. Educational converter; verify the output against your SIEM’s field schema before deploying.

    What it does

    Sigma is the vendor-neutral YAML format for SIEM detection rules. The open Sigma rule repository contains thousands of community detections, but actually deploying them requires translation to your SIEM’s query language: Splunk SPL, Elastic Lucene/KQL, Microsoft Sentinel KQL, etc. The canonical converter is the open-source `sigmac` / `pySigma` toolchain — our web converter is a simpler educational version for quickly previewing how a rule looks in each backend. For production deployment we recommend running pySigma locally so you can apply field-mapping profiles per data source.


    How to use it

    1. Paste a Sigma rule (YAML) in the textarea. Click "Load sample" to start from an example.
    2. Pick the target backend: Splunk SPL, Elastic KQL, or Sentinel KQL.
    3. Click "Convert" — the equivalent query renders below.
    4. Copy and paste into your SIEM’s search bar.
    5. IMPORTANT: verify field names match your data source. Sigma uses Sysmon field names by default; your data might use ECS or DeviceProcessEvents schemas.

    Common use cases

    Detection library exploration: Browse SigmaHQ’s rule repo; paste interesting rules here to preview the query before deciding to deploy.
    Cross-SIEM migration: Moving from Splunk to Elastic? Use Sigma as an intermediate format and convert each rule.
    Detection-engineer onboarding: Show new hires how the same logic translates across SIEM dialects; it speeds up multi-platform fluency.
    Tabletop / purple-team prep: During exercises, quickly draft Sigma in the abstract, then deploy translated queries to whatever the SOC is using.

    Frequently asked questions

    Is this production-ready?
    For simple rules with explicit fields, yes. For complex rules with multiple selections, aggregations, or backend-specific functions, use the official pySigma CLI with proper field-mapping profiles.
    Why don’t my field names match?
    Sigma defaults to Sysmon-style fields (`Image`, `CommandLine`). Your SIEM might use ECS (`process.executable`), DeviceProcessEvents (`InitiatingProcessFileName`), or Splunk CIM (`Processes.process_path`). Edit the converted query to match.
    Why doesn’t my rule parse?
    Our converter handles the common case: single or multiple selection blocks with `field|modifier: value` (or a list of values), plus a condition. Aggregations (`count by` / `count() > N`) aren’t implemented yet.
    Can I convert backward (SPL → Sigma)?
    Not yet. Reverse-converting a SIEM query into Sigma is non-trivial: different SIEMs express the same logic in irreconcilable ways. Future feature.
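    To make the two answers above concrete, here is an added JavaScript example (not the site's converter code) that renders exactly the subset described: selection blocks of `field|modifier: value`, a boolean condition, and a Sysmon-to-CIM field map, while rejecting aggregations. `CIM_MAP`, `SAMPLE_RULE` and the values in them are constructed for the example, and the rule is assumed to be already parsed from YAML (for instance with js-yaml) into a plain object.

```javascript
// Constructed Sysmon -> Splunk CIM field map; swap in your own data source's schema.
const CIM_MAP = { Image: "Processes.process_path", CommandLine: "Processes.process" };
// Constructed sample rule, already parsed from YAML (e.g. with js-yaml) into an object.
const SAMPLE_RULE = {
  detection: {
    selection: { "Image|endswith": "\\cmd.exe", "CommandLine|contains": ["whoami", "net user"] },
    filter: { "Image|startswith": "C:\\Program Files\\" },
    condition: "selection and not filter",
  },
};

// Quote a value for SPL, doubling backslashes and escaping embedded double quotes.
function splQuote(v) {
  return '"' + String(v).replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// One field/value pair; the Sigma string modifiers become SPL wildcards.
function renderTerm(field, modifier, value) {
  switch (modifier) {
    case undefined:    return `${field}=${splQuote(value)}`;
    case "contains":   return `${field}=${splQuote("*" + value + "*")}`;
    case "startswith": return `${field}=${splQuote(value + "*")}`;
    case "endswith":   return `${field}=${splQuote("*" + value)}`;
    default: throw new Error(`unsupported modifier: ${modifier}`);
  }
}

// A selection block is an implicit AND of its keys; a value list is OR (AND with `|all`).
function renderSelection(block, fieldMap) {
  return Object.entries(block).map(([key, value]) => {
    const [rawField, ...mods] = key.split("|");
    const field = fieldMap[rawField] || rawField;
    const values = Array.isArray(value) ? value : [value];
    const terms = values.map((v) => renderTerm(field, mods.find((m) => m !== "all"), v));
    return terms.length === 1 ? terms[0] : `(${terms.join(mods.includes("all") ? " AND " : " OR ")})`;
  }).join(" ");
}

// Replace each selection name in the condition with its rendered block; aggregations are rejected.
function sigmaToSpl(rule, fieldMap = {}) {
  const { condition, ...selections } = rule.detection;
  if (condition.includes("|")) throw new Error("aggregations (`| count()`) are not supported");
  const body = condition.replace(/\b(and|or|not)\b/gi, (k) => k.toUpperCase())
    .replace(/\b[A-Za-z_]\w*\b/g, (tok) => {
      if (["AND", "OR", "NOT"].includes(tok)) return tok;
      if (!Object.prototype.hasOwnProperty.call(selections, tok)) throw new Error(`unknown selection: ${tok}`);
      return `(${renderSelection(selections[tok], fieldMap)})`;
    });
  return `search ${body}`;
}
```

    Calling `sigmaToSpl(SAMPLE_RULE, CIM_MAP)` yields a query whose field names are already CIM-mapped; calling it without a map leaves the Sysmon names in place, which is the mismatch the FAQ warns about.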

    Free for everyone, no signup required. Tool runs at /tools/sigma-converter/ — bookmark or share.